CM-08 System Component Inventory
a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: cm-08_odp.01; and
b. Review and update the system component inventory cm-08_odp.02.
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.
Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association are not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates the use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems that implement multiple network protocols (e.g., IPv4 and IPv6) can result in the same component being identified twice, once in each address space. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.
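As an added illustration of the two accountability rules above (a unique identifier per hardware component, and a system association per software instance), not part of the control text or any NIST tooling: a small Python consolidator over constructed scan records. It merges a host seen in both the IPv4 and the IPv6 scan into one entry, keys software by (product, version, system) so the same package on two systems is counted once per system, and reports records that cannot be attributed; field names and sample values are assumptions.

```python
# Constructed sample data (invented values): two hardware scans of the same
# network, one over IPv4 and one over IPv6, plus a software inventory export.
SCAN_RECORDS = [
    {"id": "SN-1001", "system": "SYS-A", "name": "db01", "addr": "10.0.0.5"},
    {"id": "SN-1001", "system": "SYS-A", "name": "db01", "addr": "fd00::5"},
    {"id": "SN-2002", "system": "SYS-B", "name": "web01", "addr": "10.0.1.7"},
    {"id": None, "system": "SYS-B", "name": "printer", "addr": "10.0.1.9"},
]
SOFTWARE_RECORDS = [
    {"product": "openssl", "version": "3.0.13", "system": "SYS-A"},
    {"product": "openssl", "version": "3.0.13", "system": "SYS-B"},
    {"product": "openssl", "version": "3.0.13", "system": "SYS-A"},  # repeat
    {"product": "nginx", "version": "1.24.0", "system": None},  # unassociated
]


def consolidate_hardware(records):
    """Merge scan hits by unique component identifier; returns (inventory, issues).

    Hits sharing an identifier collapse into one component carrying every address
    it was seen at, so an IPv4 hit and an IPv6 hit are not counted twice. Hits
    without an identifier cannot be de-duplicated safely and are reported instead."""
    inventory, issues = {}, []
    for r in records:
        if not r["id"]:
            issues.append(f"no unique identifier: {r['name']} at {r['addr']}")
            continue
        entry = inventory.setdefault(
            r["id"], {"system": r["system"], "name": r["name"], "addrs": set()}
        )
        if entry["system"] != r["system"]:  # one component claimed by two systems
            issues.append(f"{r['id']} claimed by {entry['system']} and {r['system']}")
        entry["addrs"].add(r["addr"])
    return inventory, issues


def consolidate_software(records):
    """Key each software instance by (product, version, system); returns (entries, issues).

    The same package on two systems is two legitimate entries; a repeated entry for
    one system is duplicate accounting, and an entry with no system association
    cannot be attributed to any system at all."""
    entries, issues = set(), []
    for r in records:
        if r["system"] is None:
            issues.append(f"{r['product']} {r['version']} has no system association")
            continue
        key = (r["product"], r["version"], r["system"])
        if key in entries:
            issues.append(f"duplicate accounting: {key}")
        entries.add(key)
    return entries, issues
```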
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
- SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
- SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
- SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
- IR 8011-2 Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2.
- IR 8011-3 Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3.
Control Enhancements
- CM-08(01) Updates During Installation and Removal
- CM-08(02) Automated Maintenance
- CM-08(03) Automated Unauthorized Component Detection
- CM-08(04) Accountability Information
- CM-08(05) No Duplicate Accounting of Components
- CM-08(06) Assessed Configurations and Approved Deviations
- CM-08(07) Centralized Repository
- CM-08(08) Automated Location Tracking
- CM-08(09) Assignment of Components to Systems
Related controls
- CM-02 Baseline Configuration
- CM-07 Least Functionality
- CM-09 Configuration Management Plan
- CM-10 Software Usage Restrictions
- CM-11 User-installed Software
- CM-13 Data Action Mapping
- CP-02 Contingency Plan
- CP-09 System Backup
- MA-02 Controlled Maintenance
- MA-06 Timely Maintenance
- PE-20 Asset Monitoring and Tracking
- PL-09 Central Management
- PM-05 System Inventory
- SA-04 Acquisition Process
- SA-05 System Documentation
- SI-02 Flaw Remediation
- SR-04 Provenance